SOC analyst interview questions
What are the types of Threat Intelligence
• Strategic Threat Intelligence • Tactical Threat Intelligence • Technical Threat Intelligence • Operational Threat Intelligence
With which Security event ID can a successful RDP connection be detected
4624 (successful logon). On its own, 4624 covers every successful logon type; an RDP session shows up as a 4624 event whose Logon Type is 10 (RemoteInteractive).
With which event id can failed logons be detected
4625
What is WAF
A WAF, or web application firewall, helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others. A WAF is a layer 7 (application layer, in the OSI model) defense and is not designed to defend against all types of attacks. (Cloudflare)
Explain salted hashes
A salt is a random value generated for each password and combined with it before hashing. It makes the stored hash unique even when two users choose the same password, adds complexity without asking anything more of the user, and defeats precomputed attacks such as rainbow (hash) tables. (Auth0)
What is AAA
Authentication: Authentication involves a user providing information about who they are. Users present login credentials that affirm they are who they claim. (Fortinet) Authorization: Authorization follows authentication. During authorization, a user can be granted privileges to access certain areas of a network or system. (Fortinet) Accounting: Accounting keeps track of user activity while users are logged in to a network by tracking information such as how long they were logged in, the data they sent or received, their Internet Protocol (IP) address, the Uniform Resource Identifier (URI) they used, and the different services they accessed. (Fortinet)
What are black hat, white hat and gray hat
Black hat: Black-hat hackers break into systems without the owner's permission. They use vulnerabilities as entry points, act illegally, and use their skills to deceive and harm people. (GeeksforGeeks) White hat: White-hat hackers, also known as ethical hackers, test and secure systems with the owner's permission, often holding certifications gained through formal training. They are the good hackers who work to protect data and websites; with the rise of cyberattacks, organizations and governments have come to understand that they need them. (GeeksforGeeks) Gray hat: Gray-hat hackers are a mix of both. They find vulnerabilities in systems without the owner's permission but without malicious intent; this is still illegal. They do not share what they find with black hats; they report the issues to the owner, sometimes requesting a small fee to fix them. (GeeksforGeeks)
What is the name of the software that translates source code into machine code
Compiler
Explain CSRF.
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. (OWASP)
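To make the attack and its standard defense concrete, here is an added example (not code from the original page or from OWASP) that models a funds-transfer endpoint twice: once authenticating on the session cookie alone, and once also requiring a synchronizer (anti-CSRF) token that is bound to the session with an HMAC. The session table, the secret key and the request shapes are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one logged-in session and a server-side secret (both assumptions).
SESSIONS = {"s3ss10n": "alice"}
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: nonce.HMAC(secret, session|nonce).
    The server embeds it in its own HTML form; a page on the attacker's origin cannot read it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def valid_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def transfer_vulnerable(request: dict) -> str:
    """Authenticates on the cookie alone. The browser attaches the cookie to a form
    submitted from the attacker's page too, so the forged request succeeds."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return "401 not authenticated"
    return f"200 {user} sent {request['form']['amount']} to {request['form']['to']}"


def transfer_hardened(request: dict) -> str:
    """Same handler, but a state-changing POST must also carry a token the attacker
    cannot obtain. The token is read from the form body, never from a cookie."""
    session_id = request["cookies"].get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not authenticated"
    if not valid_csrf_token(session_id, request["form"].get("csrf_token", "")):
        return "403 CSRF token missing or invalid"
    return f"200 {user} sent {request['form']['amount']} to {request['form']['to']}"


# What the victim's browser sends when an attacker-controlled page auto-submits a form:
# the session cookie rides along, the form fields are the attacker's.
FORGED_REQUEST = {"cookies": {"session": "s3ss10n"},
                  "form": {"to": "attacker", "amount": "1000"}}
```

In a real deployment the token check is combined with SameSite cookie attributes and Origin/Referer validation; the token alone is shown here because it is the control the CSRF definition hinges on.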
What is Cyber Kill Chain
Developed by Lockheed Martin, the Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies what the adversaries must complete in order to achieve their objective. The seven steps of the Cyber Kill Chain® enhance visibility into an attack and enrich an analyst's understanding of an adversary's tactics, techniques and procedures. (Lockheed Martin)
1. Reconnaissance • Harvesting information (email addresses, confidential info, etc.)
2. Weaponization • Coupling an exploit with a backdoor into a deliverable payload
3. Delivery • Delivering the weaponised bundle to the victim via USB, email, web, etc.
4. Exploitation • Exploiting a vulnerability to execute code on the victim's system
5. Installation • Installing malware on the asset
6. Command and Control (C2) • Establishing a command channel for remote manipulation of the victim
7. Actions on Objectives • With "hands on keyboard" access, intruders accomplish their original goal
What is the name of the software that translates machine codes into assembly language
Disassembler
What are encoding, hashing, encryption
Encoding: Converts data into the format required for exchange between different systems (e.g. Base64, URL encoding). It is reversible by anyone and provides no security. Hashing: Maintains the integrity of a message or data by producing a fixed-length digest; any change to the input, whenever it happens, produces a different digest and can be noticed. Encryption: Keeps data confidential; only someone holding the correct key can decrypt and read it.
What is firewall
A firewall is a device or software that allows or blocks network traffic according to a set of rules.
What is compliance
Following a set of standards authorized by an organization, an independent party, or a government.
What are HIDS and NIDS
HIDS: Host Intrusion Detection System. A HIDS runs on each host and watches that host's own activity (files, processes, logs). NIDS: Network Intrusion Detection System. A NIDS sits at a point in the network and inspects the traffic passing through it.
What is the difference between hashing and encryption
Hashing: Hashing converts information into a fixed-length digest (hash value) using a hash function. The original information cannot be recovered from the digest by any means. (GeeksforGeeks) Encryption: Encryption converts a normal readable message, known as plaintext, into an unreadable form, known as ciphertext. The ciphertext can be turned back into plaintext only by whoever holds the decryption key. (GeeksforGeeks) Difference: • A hash function needs no key to operate. • The output length of an encryption algorithm varies with the input, while a hashing algorithm always produces a fixed output length. • Encryption is a two-way function (encrypt and decrypt), whereas hashing is a one-way function that turns plaintext into a unique digest that is irreversible.
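The three operations side by side, covering both the "encoding, hashing, encryption" and the "hashing vs. encryption" questions above, as an added example that is not from the original page. Encoding and hashing use the standard library directly; since the Python standard library has no block cipher, the encryption half uses a toy keystream built from SHA-256 in counter mode, which is an assumption of this example and illustrative only (it is unauthenticated and not a cipher to deploy). What it shows is exactly the differences listed: encoding reverses without any secret, the digest has a fixed length and is one-way, and the ciphertext's length follows the plaintext and reverses only with the key.

```python
import base64
import hashlib
import os


def encode(data: bytes) -> str:
    """Encoding: a representation change, reversible by anyone."""
    return base64.b64encode(data).decode("ascii")


def decode(text: str) -> bytes:
    return base64.b64decode(text)


def digest(data: bytes) -> str:
    """Hashing: fixed 256-bit (64 hex chars) digest, no key, no way back."""
    return hashlib.sha256(data).hexdigest()


def new_key() -> bytes:
    return os.urandom(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream for illustration: SHA-256(key | nonce | counter), repeated.
    Not a real cipher and not authenticated; stands in for AES-GCM or similar."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encryption: reversible, but only with the key. Output is nonce || ciphertext,
    so its length tracks the plaintext length instead of being fixed."""
    nonce = os.urandom(12)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + ciphertext


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:12], blob[12:]
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))
```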
Name some of the Threat Intelligence Platforms
IBM X Force Exchange, Cisco Talos, OTX AlienVault
Do you have any project that we can look at
If you have a project to show, make sure you prepare it before the interview.
Explain 2FA
2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user enters their username and password. Then, instead of immediately gaining access, they are required to provide another piece of information. (Authy)
What is Indicators of Attack (IOAs)
Indicators of Attack (IOAs) demonstrate the intentions behind a cyberattack and the techniques used by the threat actor to accomplish their objectives. The specific cyber threats arming the attack, like malware, ransomware, or advanced threats, are of little concern when analyzing IOAs. (UpGuard)
What Is Indicator Of Compromise (IOCs)
Indicators of compromise (IOCs) serve as forensic evidence of potential intrusions on a host system or network. These artifacts enable information security (InfoSec) professionals and system administrators to detect intrusion attempts or other malicious activities. Security researchers use IOCs to better analyze a particular malware's techniques and behaviors. IOCs also provide actionable threat intelligence that can be shared within the community to further improve an organization's incident response and remediation strategies. (Trend Micro)
Explain Security Misconfiguration
It is a security weakness caused by insecure default, incomplete, or incorrect configuration of an application, framework, server, or platform: for example default accounts and passwords left enabled, unnecessary features or services switched on, overly verbose error messages, or missing security hardening.
Explain the difference between LFI and RFI
Both are file inclusion vulnerabilities in which user-controlled input is passed to a file include (for example a "page" parameter). With LFI (Local File Inclusion) the file that gets included is already on the web server hosting the application, typically reached by path traversal (e.g. ../../etc/passwd). With RFI (Remote File Inclusion) the application fetches and includes a file from a remote host the attacker controls, which usually leads directly to code execution.
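An added example (not from the original page) of the local case: a file include modelled in Python, first with the user-supplied page name used unchecked, then hardened by resolving the final path and refusing anything that lands outside the web root. The web root, the "secret" file next to it, and the traversal string are all constructed by the example itself in a temporary directory.

```python
import os
import tempfile


def include_vulnerable(base_dir: str, page: str) -> str:
    """Mirrors include($_GET['page'])-style code: the user value goes straight into the path."""
    with open(os.path.join(base_dir, page)) as f:
        return f.read()


def include_hardened(base_dir: str, page: str) -> str:
    """Resolve symlinks and '..' first, then require the result to stay under base_dir.
    Also catches absolute paths, since os.path.join discards base_dir for those."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes web root: {page!r}")
    with open(target) as f:
        return f.read()


def include_is_blocked(base_dir: str, page: str) -> bool:
    """True when the hardened include refuses the request."""
    try:
        include_hardened(base_dir, page)
    except PermissionError:
        return True
    return False


def build_demo():
    """Constructed sample layout: <tmp>/www/home.html (web root) and <tmp>/secret.txt outside it.
    Returns (webroot, traversal_string)."""
    root = tempfile.mkdtemp()
    webroot = os.path.join(root, "www")
    os.mkdir(webroot)
    with open(os.path.join(webroot, "home.html"), "w") as f:
        f.write("<h1>home</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")
    return webroot, os.path.join("..", "secret.txt")
```

The path check is the minimum; an allow-list of includable page names is the stronger control, and the same realpath check is what keeps an allow-list honest when names are later mapped to paths.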
What is MITRE ATT&CK
MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. (MITRE ATT&CK)
What is port scanning
Port scanning is a method of determining which ports on a host are open and could be receiving or sending data. It works by sending packets to specific ports on the host and analyzing the responses, which also helps identify the services running there and potential vulnerabilities. (Avast)
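The simplest scan type in working code, as an added example that is not from the original page: a TCP connect() scan, where a completed three-way handshake means the port is open and an immediate refusal means it is closed. To stay self-contained and offline, the example opens its own listener on a loopback port chosen by the OS and scans the ports around it; the host, port range and timeout are assumptions of the example.

```python
import socket
from typing import Iterable, List, Tuple


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """TCP connect() scan: connect_ex() returns 0 only when the handshake completed,
    i.e. something is listening. Refused or timed-out ports are reported closed/filtered."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def start_local_listener() -> Tuple[socket.socket, int]:
    """Give the scan a target: a listening socket on an OS-chosen loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo() -> Tuple[int, List[int]]:
    """Scan a small window of loopback ports around the listener and return (listener_port, open_ports)."""
    srv, port = start_local_listener()
    try:
        found = tcp_connect_scan("127.0.0.1", range(port - 3, port + 4))
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    listener, open_ports = demo()
    print(f"listener on {listener}, scan found open: {open_ports}")
```

From the defender's side, this is the noisiest scan type: every probe completes a full connection, so it lands in the target service's logs and in firewall/IDS connection records, which is why SYN ("half-open") scans exist.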
How can you define Blue Team and Red Team basically
Red team is attacker side, blue team is defender side.
What is SIEM
Security information and event management (SIEM) is a security solution that collects and logs events from an environment in real time. The purpose of that event logging is to detect security threats. SIEM products have a number of features; the ones that matter most to a SOC analyst are that they filter and correlate the data they collect and raise alerts on suspicious events. (LetsDefend)
What is the difference between static and dynamic malware analysis
Static Analysis: The approach of analyzing malicious software with reverse-engineering methods without running it. Generally, by decompiling or disassembling the malware, each step it would execute is examined, so its behavior and capabilities can be understood. Dynamic Analysis: The approach that examines the behavior of malicious software by running it on a system. In dynamic analysis, tools that record registry, file, network and process events are installed on the system, and the malware's behavior is observed while it runs. Note that using only one approach may not be sufficient to analyze malware; using both together gives the best results.
What is TAXII in Cyber Threat Intelligence (CTI)
TAXII, short for Trusted Automated eXchange of Intelligence Information, defines how cyber threat information can be shared via services and message exchanges. (anomali)
What is CIA triad
The three letters in "CIA triad" stand for Confidentiality, Integrity, and Availability. The CIA triad is a common model that forms the basis for the development of security systems. They are used for finding vulnerabilities and methods for creating solutions. (Fortinet) Confidentiality: Confidentiality involves the efforts of an organization to make sure data is kept secret or private. A key component of maintaining confidentiality is making sure that people without proper authorization are prevented from accessing assets important to your business. Integrity: Integrity involves making sure your data is trustworthy and free from tampering. The integrity of your data is maintained only if the data is authentic, accurate, and reliable. Availability: Systems, networks, and applications must be functioning as they should and when they should. Also, individuals with access to specific information must be able to consume it when they need to, and getting to the data should not take an inordinate amount of time.
What is Cyber Threat Intelligence (CTI)
Threat intelligence is the analysis of data using tools and techniques to generate meaningful information about existing or emerging threats targeting the organization that helps mitigate risks. Threat Intelligence helps organizations make faster, more informed security decisions and change their behavior from reactive to proactive to combat the attacks. (eccouncil)
Explain vulnerability, risk and threat.
Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. (src: NIST) Risk: the level of impact on agency operations (including mission functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring. (src: NIST) Threat: Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (src: NIST)
Do you know any programming language
While this question is up to you, having a basic understanding of programming languages can be a plus for the interview.
Which field of which event should I look at so that I can detect RDP logons
Look at event ID 4624 (successful logon) in the Security log and check its "Logon Type" field: a value of 10 (RemoteInteractive) means the logon came over RDP. Other values, such as 3 (network) or 2 (interactive), are not RDP sessions. The "Source Network Address" (IpAddress) and "Account Name" (TargetUserName) fields tell you where the session came from and who logged on.
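The rule above run over sample log data, as an added example that is not from the original page and that also covers the 4624/4625 questions earlier in the list. The events are constructed here in the shape a SIEM would hand back after parsing the Security log (field names follow the Windows event XML); the alert threshold and the brute-force rule are assumptions of the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample events, shaped like parsed Security-log records (not real data).
EVENTS: List[Dict] = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice",         "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "LogonType": 3,  "TargetUserName": "svc_backup",    "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "LogonType": 2,  "TargetUserName": "bob",           "IpAddress": "-"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "alice",         "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "admin",         "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
]

RDP_LOGON_TYPE = 10  # RemoteInteractive


def rdp_logons(events: List[Dict]) -> List[Tuple[str, str]]:
    """Successful RDP sessions: 4624 with Logon Type 10. Type 3 (network share,
    WinRM, etc.) and type 2 (console) are deliberately excluded."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4624 and e["LogonType"] == RDP_LOGON_TYPE]


def failed_logons_by_source(events: List[Dict]) -> Counter:
    """4625 counts per source address, the raw material for a brute-force rule."""
    return Counter(e["IpAddress"] for e in events if e["EventID"] == 4625)


def brute_force_alerts(events: List[Dict], threshold: int = 5) -> List[str]:
    """Alert on sources with at least `threshold` failures AND a successful RDP
    logon: a password spray or brute force that eventually worked."""
    fails = failed_logons_by_source(events)
    successes = {ip for _, ip in rdp_logons(events)}
    return sorted(ip for ip, n in fails.items() if n >= threshold and ip in successes)


if __name__ == "__main__":
    print("RDP logons:", rdp_logons(EVENTS))
    print("failures by source:", dict(failed_logons_by_source(EVENTS)))
    print("alerts:", brute_force_alerts(EVENTS))
```

In a SIEM the same logic becomes a correlation rule with a time window; the threshold here is arbitrary and should be tuned to the environment's normal failure rate.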
How does malware achieve persistence on Windows
• Services • Registry Run keys (Run, RunOnce) • Task Scheduler (scheduled tasks) • Infecting clean files
Could you share some general endpoint security product categories
• Antivirus • EDR • XDR • DLP
How do you keep yourself updated with information security
• Reading daily infosec news from different sources (The Hacker News, Malwarebytes Labs, HackRead, ThreatPost) • Following infosec-related social media accounts • Telegram channels • Joining newsletters related to cyber security
Which event logs are available by default on Windows
• Security • Application • System